Apple WWDC ’97 Steve Jobs Closing Keynote. So full of stunning insights and vision that it’s impossible to give a single quote. Except possibly:
To focus is saying ‘no’.
Compare those 1997 ideas with their implementation. Stunning.
Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.
Answer from Austria by Leon Aaron Kaplan, CERT.at:
“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”
Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulative environment. On regulation:
There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security… The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.
Microsoft’s local Chief Security Advisor in Finland adds: a community of peers in public and private sectors, educated users.
Lessons from Germany and Japan.
Summing up:
1. There exist strong public–private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region are effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low
Tim Yeaton on mashable.com. Let’s ignore the fact that this article is a piece of journalism in which the author implicitly praises one of his business outlets.
Another pivotal change is the fact that enterprise IT organizations are now discovering the need to “go social” and join communities as a strategy for leveraging and using more open source software, especially mission-critical components. This significant trend reflects the reality that open source use is becoming a competitive requirement. Even within the firewall of an enterprise, the trend toward collaborative development to share best practices, facilitate code reuse, and enhance developer productivity is escalating rapidly. …
While social development isn’t a challenge for Gen Y developers, it still presents management challenges for enterprises, especially larger ones. Moving at web speed and using social tools still requires some adjustment. For example, new college hires expect to be community participants, yet large enterprises may not be comfortable with this level of transparency. Although open source projects are based on the notion of transparency, collaboration and meritocracy, some corporate policies may prohibit or limit this philosophy, just like some corporate cultures may resist the trend toward openness in development.
Abstracting from software development: we observe that functional units of larger organisations increasingly overlap with distinct communities and attempt to reap the fruits of these communities. The trick is to identify your organisation’s gems and me-too’s, so as to achieve the maximum degree of openness without compromising your business model.
Anonymous utilises meritocracy, Max Halupka and Cassandra Star argue. An excerpt from the abstract:
Anonymous employs aspects of meritocracy in formulating collective decisions. With all members utilising the same user-name, individualism is nonexistent. As such, the merit of an argument is based solely on its content as opposed to a pre-constructed perception of the individual and their perceived history or standing in the group. Furthermore, an individual’s mastery of the group’s culture denotes their involvement within the community and the level of their understanding in relation to its founding ideology.
That’s gibberish. Meritocracy inherently requires the ability to identify a person or at least an online persona. Meritocracy is about achieving reputation over time by certain actions of the reputable individual and the expectations and interests of the distinguishing group and the transfer of authority to the reputable person by the group. But if all individuals run around in Guy Fawkes masks and call themselves Anonymous, how do you tell the reputable person apart from the schmucks? Well, they have their leaders du jour who lead ad hoc and thereby rise through the structureless and leaderless ranks and achieve authority.
Anonymous though should not be considered a true example of a meritocracy. We argue that Anonymous utilises elements of meritocracy within its democratic decision making process, specifically the concept of merit. These elements are drawn upon to construct an ad hoc hierarchy, filter community communications and dictate an individual’s level of involvement in the creation of multimedia pertaining to a specific cause. …
Comments which are seemingly better informed have the potential, in this instance, to influence the opinions and direction of the community as a whole as opposed to those which denote a presence of ignorance or unrealistic expectations.
Is a system that allows for taking the lead ad-hoc based on superior skills a meritocracy? There are similarities, but I doubt it’s a meritocratic system.
The art of statistics – more calls, more cyber:
Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has sharply risen as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, while the number of such requests in 2010 was only 116, deploying the Emergency Response Team seven times this year as compared to only once or twice in previous years.
Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of phishtank.com, about his view on Amazon’s Silk browser. Next to the optional classic end-to-end browsing mode, the browser can route all traffic via Amazon’s cloud machines to “optimize and accelerate the delivery of web content” (Amazon Silk FAQ) and to “troubleshoot and diagnose Amazon Silk technical issues” (Amazon Silk Terms and Conditions). David replies:
I think it’s brilliant. Not sure if people are wary of Amazon doing it since they will see all your traffic but SOMEONE should be doing this. Performance is one reason, but security benefits could be added too. Ultimately I think the idea of decoupled browsing makes a lot of sense. I’d rather a remote exploit run in a VM in the cloud instead of compromising my mobile device and rooting my phone.
While there is some ambiguity in Ulevitch’s wording, my interpretation is that he supports the idea of centralised access points for web-surfing end users, which function as a kind of content washing machine that strips out malware, phishing sites and similarly insecure web content.
Will the sanitizers coalesce with the privatizers? Chris Espinoza:
The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet.
Fire isn’t a noun, it’s a verb, and it’s what Amazon has done in the targeted direction of Google. This is the first shot in the new war for replacing the Internet with a privatized merchant data-aggregation network.
And what does this from Amazon’s Silk FAQ mean:
What about handling secure (https) connections?
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://example.com).
Irrespective of David Eaves’ speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current status quo of the discussions for a cybersecurity treaty, including the Sino-Russian UN proposal for an “International Code of Conduct for Information Security”. Healey has an excerpt addressing Twitter revolutions (Russia’s and China’s noospheric soft belly) …
The Russian and Chinese proposal asks for nations to pledge to
… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security.
… and points at the omission of paragraphs on patriotic hackers (a kind of unlawful cyber combatant posing asymmetric risks for the West):
Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after the Hainan Island incident and the bombing of the Beijing embassy in Belgrade (China).
(Annotation: In Germany, courts have ruled human-bot-driven DDoS attacks legal and likened them to likewise legal sit-ins, which block traffic from and to property in the physical world.)
Update: The Council of Foreign Relations has a blog entry – alas too short – on the Chinese perspective of the geopolitics in cyberspace.
But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace.
African news outlet coastweek.com reports from the ongoing Internet Governance Forum:
According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.
Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.
Has Touré really called for “round the clock Internet surveillance”?
Anyhow, the design of coastweek.com makes me feel 15 years younger.
Interesting argument by David Eaves regarding the Open Government Partnership:
The OGP is part of a 21st century containment policy. And I’d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)
Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)
It’s no trivial coincidence that on the day of the OGP launch the President announced the United States first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)
This is America essentially signalling to African people and their leaders – do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.
More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.
It would be interesting to link strategic US foreign policy thinking to ‘openness’ in governance – I’m thinking of, e.g., Anne-Marie Slaughter’s recent Foreign Affairs article, in which she proposed for the U.S. to take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.
More and more reports on the costs of Conficker have trickled in recently. Here’s another one from the CISO (you know that acronym, right?) of brewery giant SABMiller, producer of delicious booze such as Foster’s, Miller, and Grolsch:
“Last April, I had to close down the Romanian operation for four hours because of the Conficker virus. It cost us £7.2 million [the revenue target lost, based on how much the breweries would have produced for sale during that time]”
He sold the halt of the beer production site to his board by arguing
that the effect on the company’s market capitalisation would be far worse if SABMiller had manufactured and sold poisoned stock
Shouldn’t the attack vectors for Conficker be barricaded by now? Of course, they could still have their corporate network running on old, unpatched Windows platforms. (Businesses have been strong supporters of the “never change a running system” mantra, though the remaining IT vulnerabilities in aged gear challenge this stance.) But “poisoned stock”? Where should that come from? Do they run their beer SCADA systems on machines that would not detect a manipulation of their software stack? Where is the link between Conficker and “poisoned stock”?
Joint request by May, Strickling, Beers:
The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.
DHS asks for contributions in four segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.
I’ve seen similar public requests for comments in other policy domains of the US political system before. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.
Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.
Update: Joel Harding with regard to Microsoft’s role in botnet response:
DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?
Margarita Mathiopoulos has her back to the wall because of her ongoing plagiarism investigation. I guess she’s the first among the Transatlanticist wing of the German foreign policy elite to put it that bluntly:
If it fails, the blame will be on Germany. … All eyes are on Berlin. There is a strong, if silent, expectation in European capitals — as in Washington — that Germany will not forget its historic obligation to those who helped it rise out of the ashes of World War II and reunite.
… and pulls a Schmitt (Carl, that is):
First and foremost, Merkel and Sarkozy can and should declare that the euro zone is in a “state of emergency.” This would allow them (…) Although this would require revising the Lisbon Treaty, a state of emergency would make it possible to take action immediately.
…and asks to give the Germans some boots that are not made for walking:
Germany will only agree to the introduction of eurobonds to spread the responsibility for government debt across the euro zone if sinning countries can be punished.
Brief, informative literature review by Leonhard Dobusch on public domain, its conceptualisation, political regulation, and societal relevance. One of Leonhard’s arguments is that we have no systematic model about the real-world phenomena that can be categorised as public domain:
Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)
This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)
Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of the public domain can also be found in empirical phenomena other than the public domain or the commons; peer production, a sibling of both, might serve as an example.
—
Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society” hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be unleashed the day before.